CISA warned U.S. organizations to follow Microsoft guidance to strengthen the Intune endpoint management tool after a cyberattack exploited it to wipe medical technology giant Stryker's systems.
Microsoft published guidance on hardening Intune administrative controls days after Stryker was breached in an incident claimed by Handala, an Iranian-linked and pro-Palestinian hacktivist group.
The hackers claim that they stole 50 terabytes of data before using the built-in wipe command in Microsoft's Intune cloud-based endpoint management tool to wipe nearly 80,000 devices in the early morning of March 11.
Now, CISA urged all U.S. organizations to harden their Intune environments to make them more resilient against similar attacks that could target their own networks.
"CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026 cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment," the U.S. cybersecurity agency said on Wednesday.
"To defend against similar malicious cyber activity, CISA urges organizations to harden endpoint management system configurations using the recommendations and resources provided in this alert."
CISA's list of recommendations applies to Microsoft Intune and other endpoint management software, and it requires IT administrators to use a least-privilege approach for admin roles, assigning only the necessary permissions through Microsoft Intune's role-based access control (RBAC).
Admins should also enforce MFA and privileged-access hygiene to block unauthorized access to privileged actions in Intune (via Microsoft Entra ID features such as Conditional Access, risk signals, and MFA) and require multi-admin approval for changes to sensitive actions, such as device wipes, application updates, and RBAC modifications.
"When combined, these practices help you shift from relying on 'trusted administrators' toward building a more protected administration by design: least-privilege to contain impact, Microsoft Entra-based controls to ensure users are trusted and are who they say they are, and multi-admin approval to govern the changes that matter most," Microsoft says.
Handala (also known as Handala Hack Team, Hatef, Hamsa), the group that claimed responsibility for the Stryker cyberattack, emerged in December 2023 as a hacktivist operation targeting Israeli organizations with Windows and Linux data-wiping malware.
They have been linked to Iran's Ministry of Intelligence and Security (MOIS) and are known for stealing and leaking sensitive data from compromised systems.
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.
The FBI has issued a public service announcement warning that Russian intelligence-linked threat actors are actively targeting users of encrypted messaging apps such as Signal and WhatsApp in phishing campaigns that have already compromised thousands of accounts.
0
Oracle has released an out-of-band security update to fix a critical unauthenticated remote code execution vulnerability in Identity Manager and Web Services Manager tracked as CVE-2026-21992.
0
An international law enforcement action called Operation Alice has shut down over 373,000 dark web sites that offered fake CSAM packages.
0
The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a maximum-severity vulnerability, CVE-2026-20131, in Cisco Secure Firewall Management Center (FMC) by Sunday, March 22.
0
Geopolitical tensions are driving destructive cyberattacks designed to disrupt operations, not demand ransom. CISOs must limit lateral movement and contain breaches to reduce the impact of wiper campaigns.
0
This refurbished Surface Pro 6 is available for just $229.99 (MSRP $849.99) for a limited time. With its slim design and reliable specs, it's a practical option for anyone who wants a portable Windows device without spending a fortune.
0
North Carolina musician Michael Smith has pleaded guilty to collecting over $10 million in royalty payments through a massive streaming royalty fraud scheme on Spotify, Apple Music, Amazon Music, and YouTube Music.
1
Authorities from the United States, Germany, and Canada have taken down Command and Control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid, and Mossad botnets to infect Internet of Things (IoT) devices.
0
Microsoft says the March Windows 11 update breaks sign-ins with Microsoft accounts across multiple Microsoft apps, including Teams and OneDrive.
0
A North Carolina man was found guilty of extorting a D.C.-based technology company while still being employed as a data analyst contractor.
0
Navia Benefit Solutions, Inc. (Navia) is informing nearly 2.7 million individuals of a data breach that exposed their sensitive information to attackers.
0POST SCRIPT: Musk’s lawyers said that they will appeal the ruling. “We view today’s verdict, where the jury found both for and against the plaintiffs and found no fraud scheme, as a bump in the road,” the legal team at Quinn Emanuel Urquhart & Sullivan said in a statement.
Musk, who is an extremely active user of X, has not yet commented on the jury’s decision.
A defense facility in the Czech Republic linked to the Israeli weapons manufacturer Elbit Systems was set ablaze on March 20, 2026, in what is being investigated as a possible act of terrorism. A group calling itself the "Earthquake Faction" claimed responsibility for the arson attack. . .The company, however, has denied any ties to Israel, insisting its production primarily flows to Ukraine.
The Earthquake Faction, which describes itself as “an internationalist underground network,” posted a video purportedly showing the arson attack on an industrial facility in the Czech town of Pardubice on Friday, along with images of the burned-out building.
Firefighters extinguished the blaze, no injuries were reported, and police said there was no danger to the public. Footage from the scene suggested the warehouse was destroyed and an adjacent administrative building badly damaged by the fire. Officials said the incident is being treated as a suspected terrorist attack.
The facility was operated by LPP Holding, a Czech arms manufacturer producing civilian and military equipment. The company has denied having any ties to Israel, insisting it merely considered cooperation with Elbit Systems in 2023, but it never came to fruition. LPP Holding noted that it has been supplying Ukraine with sophisticated drone systems, prompting local media to point fingers at Moscow over the blaze.
The Czech Republic, an EU and NATO member, is a close ally of Israel. Czech officials have supported US and Israeli military actions against Iran and condemned Iranian missile and drone attacks.
ACTION SCENE: YouTube Holly - Bolly Cuts · 20 hours ago गुंडों को चकमा देकर जहाज़ लेकर भागे Tintin और Ship Captain 😳 | The Adventures of...
